rules/windows/builtin/win_possible_dc_shadow.yml

title: Possible DC Shadow
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
description: Detects DCShadow via create new SPN
status: experimental
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019/10/25
references:
    - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
tags:
    - attack.credential_access
    - attack.t1207
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4742
        ServicePrincipalNames|contains: 'GC/'
    selection2:
        EventID: 5136
        LDAPDisplayName: servicePrincipalName
        Value|startswith: 'GC/'
    condition: selection1 OR selection2
falsepositives:
    - Exclude known DCs
level: high
Update and rename win_possible_dc_sync.yml to win_possible_dc_shadow.yml 2020-05-05 16:51:35 +02:00			`title: Possible DC Shadow`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00			`description: Detects DCShadow via create new SPN`
ilyas ochkov contribution 2019-10-29 03:44:22 +03:00			`status: experimental`
Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00			`author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah`
spaces fix 2019-10-29 03:59:07 +03:00			`date: 2019/10/25`
ilyas ochkov contribution 2019-10-29 03:44:22 +03:00			`references:`
			`- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml`
			`- https://twitter.com/gentilkiwi/status/1003236624925413376`
			`- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2`
add additional reference 2020-05-05 19:25:33 +02:00			`- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d`
ilyas ochkov contribution 2019-10-29 03:44:22 +03:00			`tags:`
			`- attack.credential_access`
Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00			`- attack.t1207`
ilyas ochkov contribution 2019-10-29 03:44:22 +03:00			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00			`selection1:`
ilyas ochkov contribution 2019-10-29 03:44:22 +03:00			`EventID: 4742`
Update win_possible_dc_shadow.yml 2020-10-15 15:45:55 -03:00			`ServicePrincipalNames\|contains: 'GC/'`
Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00			`selection2:`
			`EventID: 5136`
Update win_possible_dc_shadow.yml 2020-05-05 16:52:08 +02:00			`LDAPDisplayName: servicePrincipalName`
Update win_possible_dc_shadow.yml 2020-10-15 15:45:55 -03:00			`Value\|startswith: 'GC/'`
Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00			`condition: selection1 OR selection2`
ilyas ochkov contribution 2019-10-29 03:44:22 +03:00			`falsepositives:`
Update win_possible_dc_sync.yml 2020-05-05 16:50:13 +02:00			`- Exclude known DCs`
ilyas ochkov contribution 2019-10-29 03:44:22 +03:00			`level: high`